Ultra-Low-Power Tags & Sensor Nodes Energy harvesting · thin batteries · chipless design
Learn more & sign up
Think Wireless IoT

CIRPASS-2 Proposes Reference Architecture for the EU DPP System

  • Published: June 17, 2026
  • Read: 4 min

  • Source:

    Logo Think WIoT

Share:

CIRPASS-2 has published a draft reference architecture for the European Digital Product Passport system. Its 25 recommendations address interoperability, identity, data integrity, product identification and access, giving developers and integrators a technical basis for future DPP infrastructures.

CIRPASS-2 Tests DPPs in Real Environments

CIRPASS-2 is an Innovation Action funded through the European Commission’s Digital Europe Programme. Coordinated by the French research institute CEA-List, the project runs from May 2024 to April 2027.

Its 13 lighthouse pilots test Digital Product Passports in textiles, electrical and electronic equipment, tyres and construction materials. The project brings together manufacturers, research institutions, standards bodies and technology providers.

On June 10, 2026, CIRPASS-2 published its updated D4.1 reference architecture for the EU Digital Product Passport system. The publication package also includes a recommendations summary sheet dated June 9 and a companion analysis of risks and mitigations dated June 5.

The documents are intended to bridge the gap between the Ecodesign for Sustainable Products Regulation, or ESPR, and the organizations developing technical components for DPP systems.

Architecture Defines Roles and Building Blocks

The reference architecture describes the DPP system as a combination of technical services, governance functions and interoperable data components.

These building blocks are assigned to roles such as responsible economic operators, public authorities, DPP service providers, credential issuers, supply-chain actors and end users.

The document is an exploratory proposal from the CIRPASS-2 consortium. It is not a binding EU specification and should not be interpreted as a requirement issued by CEN-CENELEC JTC 24.

The 25 recommendations cover six areas: interoperability, identity and access management, DPP integrity, DPP access, data management and information display.

JSON-LD and APIs for Interoperability

CIRPASS-2 recommends JSON-LD as the default exchange format for DPP data. It also proposes modular and extensible DPP templates to support semantic interoperability across product groups and software platforms.

For lifecycle management, systems should use the standardized core APIs defined by prEN 18222. Where no authoritative specification exists, the report recommends alignment with established open interfaces.

Products containing components with their own passports should provide persistent links to these sub-DPPs rather than relying only on copied data.

Verifiable Credentials and Controlled Access

The architecture recommends Verifiable Credentials for organizational identities, authenticated roles and DPP records. Role credentials should be issued or guaranteed by trusted bodies.

Protected DPP information should be controlled through role-based access. Public data and role-specific datasets could be provided as linked JSON-LD Verifiable Credentials.

The proposal distinguishes between identity credentials issued by trusted third parties and DPP data credentials issued by the responsible economic operator.

Integrity, Updates and Long-Term Availability

CIRPASS-2 recommends treating the original passport and all later updates as immutable records. Changes should create new timestamped entries rather than overwrite existing information.

Systems should provide signed receipts for updates and preserve independent cryptographic evidence of authenticity. A reporting mechanism should allow authorized parties to flag incorrect or invalid DPPs.

Backup providers should mirror the full DPP dataset, remain synchronized with the primary system and apply the same access controls.

Persistent Access Through Product Identifiers

The responsible economic operator should operate a redirection service that maps a product’s Unique Product Identifier to the current location of its DPP.

This separates the permanent product identifier from a data location that may change during the product lifecycle. CIRPASS-2 also recommends an independent EU fallback redirection service.

Products requiring lifecycle updates, such as repair records, should receive item-level identifiers. High-volume users, including authorities and repair networks, may require caching or local repositories.

Risks Extend Beyond Cybersecurity

The companion analysis covers incorrect data, copied identifiers, manipulated data carriers, unauthorized updates, service failures, tracking and disclosure of commercially sensitive information.

Proposed mitigations include encryption, authentication, access control, rate limiting, update logs, cryptographic signatures, robust data carriers and fallback services.

The report also notes that technical integrity does not prove that a product claim is factually correct. Some risks, including physical manipulation and misuse by authorized parties, may therefore remain.

For system integrators, solution providers and manufacturers, the architecture offers a framework for evaluating data models, APIs, identity systems, identifier resolution and lifecycle updates before large-scale DPP deployment.

Explore the complete CIRPASS-2 reference architecture, all 25 recommendations and the detailed risk analysis: https://cirpass2.eu/project-results/

Contact and Company information

Released by
Think WIoT
Contact:
Anja Van Bocxlaer